@alnico Don't forget, you can configure OpenVPN to carry both IPv4 and IPv6.

@mix_room said in TCP-ACK blocked when using IPV6 over GIF over IPSec: Why are you even using that GIF tunnel? Why don't you run IPv6 directly over IPSec? Because the documentation states that you can not do this with IPsec. One other thing, IPSec was originally designed for IPv6 and back ported to IPv4. So, it's highly unlikely it would not support IPv6.

No not yet as I doubt I'd get anyone on the phone who would even know what IPv6 is. Plus my online account is having problems so I can't post on their forums either at the moment.

Yeah for sure. Next time try to be useful bc nothing you say is a solution, nor with such a genius you have exposed how to attain the correct configuration without adding the routes to NAT. But you won't, cause all you do is noise. Take the bicycle and have a merry xmas, i'm done with you. ffs.

Yep, the gateway address is the address of the AVM box (fe80: ...). Man, things could be so easy. Let's get rid of that old IPv4 crap and move on to the future. Can't understand why this causes so much trouble at the ISP's site. Thank you all for your help and thanks to @JeGr for describing the prefix delegation config. I will walk trough this once more to see if I find some config that works for me. But yes, I will check out what other providers can offer. If I find one that is not too expensive and provides a static prefix, I'm gone. Have a nice weekend!

@lifespeed said in setup for server behind Comcast dynamic IPV6, VLANs, publicly reachable: Yes, I am well aware that Comcast's residential service with dynamic IP keeps the same IP address for months or even longer. There's a setting on the WAN page "Do not allow PD/Address release" that should be selected to prevent getting a different prefix. Have you selected it?

@aljames said in radvd.conf - invalid all-zeros prefix: I’ll need to educate myself more on it. IPv6 Essentials is an excellent reference. In addition to the things mentioned above, there are also some things that go to improved performance, such as fixed length headers and more. Here is another excellent reason to move to IPv6. Despite clear warnings, Europe is out of IP addresses—again There haven't been enough IPv4 addresses for several years and the situation is getting worse.

Dear all, Thank you. I will keep plugging at this; will keep posted as need arises. Cheers!

@DraNick The link local address normally comes from the MAC, but can be changed, for example my LAN gateway address. However, what you can try is changing the MAC address, so that it will provide the correct link local address. That can be done on the WAN interface page. I suspect what you're seeing is pfSense is not allowing you to set a 2nd link local address, as only one is allowed. I don't know if there's a way to change the WAN link local address directly, as happens on the LAN side. When a link local address is created from the MAC, fffe is inserted in the middle and the 7th bit is inverted. Also, the link local address only has to be unique on the local connection. You could use the exact same one on another interface. For example, I have fe80::1:1 on 2 interfaces as shown below. inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x2 inet6 fe80::1:1%bge0 prefixlen 64 scopeid 0x1 The difference is the interface ID. As I mentioned, link local addresses are often used for routing, as a router only has to know how to reach the next hop. In fact, with point to point links you don't even need any IP address. All you need is the interface that connects to the next router.

Like I said turn off default logging and only log what you want... So you can set it up to block and log your tcp stuff, but not the multicast

@chrcoluk I downloaded 2.5 and tested this today. Based on my results i created https://redmine.pfsense.org/issues/9893 If you have any information you could add to the new bug it would be appreciated.

Or ignore the logs. Or make rules that suppress the logs. Whether or not you enable IPv6 really depends on whether or not you have IPv6.

@JKnott I finally figured it out. "Track Interface" is the option that seems to be the right way to solve my problem.

@adhodgson said in IPV6 working on LAN but not pfSense box itself: Could I potentially use one of the /64s on the WAN side? No point in doing that. You already have a /128 address on the WAN and the link local address is used for routing. That's all you need. I had a problem with my ISP a few months ago. I used Wireshark and Packet Capture to see what was happening. I also tethered my notebook computer to my cell phone so that I could test from outside my network. With that, I was able to determine that the problem was not on my network and was even able to identify, by host name, the failing system at my ISP. One thing I did, which helped is I used a 5 port switch, configured as a data tap, to monitor the traffic between my modem and firewall, when pfSense was booting up.

after losing 2 days of sleep the problem was solved after disabling "Block private networks and loopback addresses" and/or "Block bogon networks" that i had on the WAN interface it was mentioned here https://redmine.pfsense.org/issues/9631 also a route come out of nowhere after cheking the routing table i had the ip from general settings / DNS inside the routing table

@amello said in IPv6 address allocated but not working: It is u-verse, so DSL on dry line. A couple of my friends have ADSL and get IPv6. I don't know the details though. For what I read so far. It seems that that Aris can handle IP Passthrough and Default Server, and as I understood the latter is like putting a host in DMZ. Perhaps the people in the forums can help with that.

@JKnott They could set dummy addresses (albeit not practical) not needing to know if they're assigned to a host or not. But it's academic at this point. It's technically possible but not practical. It does require the ISP to delegate the reverse records but my ISP is not going to do that.

@lohphat said in pfsense and IPv6 default behavior: I understand that and agree however multicast is intrinsic to IPv6 not optional with IPv4. IPv6 internal consistency of multicast groups replacing broadcast and other functionality means that it should either be enabled fully or a clear, clean setting to enable multimedia multicast. For stuff directly on the LAN, multicast works fine and pfSense is not involved, except for it's own needs. It's only when you go beyond that you have to enable it. This is the same for every just about everything. By default, firewalls block everything coming in.

@Derelict Would you believe it. That was the last place I never check. Doh ! Thanks.